Cross Site Script Inclusion (XSSI) - Angular 5 and 4

Cross-site script inclusion stands for XSSI, also known as JSON vulnerability. It uses to allow an attacker's website to read data from a JSON API. The attack works on older browsers by overriding native JavaScript object constructors, and then including an API URL using a <script> tag.

This attack is only successful if the returned JSON is executable as JavaScript. Servers can prevent an attack by prefixing all JSON responses to make them non-executable, by convention, using the well-known string ")]}',\n".

Angular's HttpClient library recognizes this convention and automatically strips the string ")]}',\n" from all responses before further parsing.

Most of the update a page's content dynamically via asynchronous JavaScript requests that return JSON data. Sometimes, JSON can contain sensitive data, and if the correct precautions are not in place, it may be possible for an attacker to steal this sensitive information.

For example, I have created a standard HTML page and send you the link; since you trust me, you visit the link I sent you. The page contains only a few lines -